One of the questions raised by Nicky Hager’s new book Dirty Politics is when it’s okay to access or publish confidential information. Has Hager acted unlawfully by publishing the emails which he says were leaked to him after someone hacked into Cameron Slater’s Whale Oil site? On the other side of the coin, have the PM’s advisor, Jason Ede, and Cameron Slater done anything wrong if, as Hager claims, they accessed Labour’s donor and supporter data via a loophole in the party’s website? What about the hackers of Slater’s emails?

Publishing Dirty Politics

Let’s start with Hager. He claims that the book is based on thousands of pages of emails between Slater and others which were leaked to him out of the blue by an unnamed person or persons. He says the emails were obtained during an attack on the Whale Oil site following Slater’s comment “Feral dies in Greymouth, did world a favour.” There is no suggestion that Hager was himself involved in the hacking of the emails so the question is: was Hager entitled to publish the emails he published?

The answer is yes, as long as the public interest in the emails outweighs the competing rights of those who wrote them. So how do we work that out? There is a pretty good argument that material in Dirty Politics is in the public interest. The public interest is particularly strong where information relates to the behaviour of elected politicians. Dirty Politics is making some serious allegations about that behaviour and it’s arguable that the public should hear them.

People also have no right to keep secret communications which reveal wrongdoing. This “iniquity” defence could justify many of Hager’s disclosures including, for example, the alleged exchange in which Slater and political commentator, Matthew Hooton, provide details of Hager’s address to lawyer, Cathy Odgers, who wants it made available to “vicious” individuals whom she appears to believe will have it in for him.

On the other side, though, are the emailers’ rights to privacy and confidentiality. There can be little question that the emails were confidential and that anyone reading them would have known that. Slater, Collins etc would probably also have a “reasonable expectation of privacy” in respect of the emails’ contents.

But how heavily does that weigh in the balance? The breach of privacy/confidentiality here is significant – the need to protect correspondence is widely recognised – but it is not at the worst end of the scale. Hager has not published information about the emailers’ health, sex lives, family lives, or financial position. And the emails disclosed were written by the parties in their professional capacity. This is not as serious as disclosing emails between, say, John Key and his wife or between David Cunliffe and his kids. In light of that, my money would be on the public interest prevailing.

Accessing Labour Party donor lists and supporters

So what about Hager’s allegation that, following a tip-off, Slater, Ede and others accessed sensitive information about Labour donors and supporters via a loophole in their website? Does that account, if accurate, reveal wrongdoing?

Accessing a computer without authorisation is a crime under section 252 of the Crimes Act 1961. It says:

(1) Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

“Access” and “computer system” are defined pretty broadly and so the provision would seem to catch the activity allegedly undertaken by Ede and Slater. The question is whether Ede and Slater knew or were reckless about whether their access was unauthorised. Slater and Ede might be able to claim that they assumed that their access was “authorised” because they got the information via a publicly available website.

But there are lots of ways such an argument could be refuted. Its success might depend, for example, on how easily Slater and Ede got hold of the information – if a person needed a tip off and/or sophisticated computer skills to get at the donor and supporter lists, it would be hard to argue they thought they were for general consumption.

And what about other indications that the information was not intended for Ede and Slater’s eyes? Might the structure of the website have made this clear? Or the nature of the information itself – a court might say it is obvious, for example, that members of the public weren’t meant to be seeing donors’ credit card details.

Ede and Slater’s subsequent comments are relevant here too. According to Hager, Ede writes an email expressing relief that Labour didn’t realise he’d accessed their material. And Slater wrote a blog post talking about “Labour’s Leaks”. These comments could undermine any argument that they thought they were allowed the material all along.

Labour might also have a claim for damages against the hackers. The strongest claim here is in breach of confidence. Recent English case law (Tchenguiz v Imerman) says that it is a breach of confidence simply to access confidential information which is stored on a computer, even if you don’t publish it. It is not clear yet whether New Zealand will follow that decision but if they do, the two key questions would be: was the donor and supporter information confidential, and if it was, should Ede and Slater have known that?

The answer to the second question is probably yes – for the reasons set out above. The first question is trickier. Information can’t be confidential if it is widely available. So Ede and Slater could argue that, given it could be obtained via a public website, the donor and supporter information is not confidential. This argument could run into trouble though if the information was not easy to get. Again, if individuals needed inside knowledge and/or sophisticated computer skills to obtain donor and supporter lists then they probably remained confidential.

The Whale Oil hackers

That leaves the question of the conduct of the hackers who obtained Slater’s emails. It seems pretty likely that their behaviour was both criminal and a breach of Slater, Collins, Ede etc’s confidence and privacy. However, since we don’t know exactly what they did or how they did it, it is difficult to comment further.

Dr Nicole Moreham is Associate Professor of Law at Victoria University of Wellington

55 responses to this post

... as long as the public interest in the emails outweighs the competing rights of those who wrote them.

That's not quite right. There is public interest also in maintaining confidences. It's that balance which is important -- see ANZ v Blum:

A distinction must be drawn between what is in the public interest and what is interesting to the public. The defence of public interest will not depend solely on proof that the information disclosed misconduct on the part of the plaintiff. The Court has to weigh the competing issues of public interest in maintaining the secrecy of confidential information and in being informed on matters which are of real public concern. The disclosure of confidential information on this basis demands more than a claim that it is in the public interest that the truth be told.

8gigs of letters the correspondents expected to remain private. All about politicians and fringe operators. 6 weeks before an election. Of course the public will be interested. Not sure about real public concern. Some people get really concerned really quickly over normal behaviour these days.

As far as I remember, Labour's information was only available due to a combination of oversight and misconfiguration of their servers (allowing access to data they should have denied, or data that should have been stored elsewhere entirely).

It's extremely likely that not even Labour wanted to be able to access the information in the manner that it was by WhaleOil (they would have other, authorised ways to get at it, such as legitimate login/ftp accounts on the server). More likely, they simply didn't realise it could be accessed that way, and if someone would have told them, they would have removed that avenue of access.

Perhaps an analogy would be leaving your door unlocked. If someone thinks to try the door and finds it unlocked, then lifts your mail from where you left it inside the door, is it still unauthorised? My intuition says yes - they're obviously trespassing, and haven't been authorised to do so - but I don't know how well this analogy carries into the law around hacking.

If I go to a public space, say a store or a museum, and someone tips me off that the door to their records room has a faulty lock, and I then take advantage of that to help myself to a bit of a look through their records, it would be a fair stretch to suggest that that was authorised access to a public space. The same would apply even if the door were left ajar accidentally - despite being able to access the room, it would be very clear that it was a private space.

Surely the same must apply in the virtual world to a public website: it would become obvious very quickly that records in the back end of the website aren't intended for public access, even if inadvertently accessible.

Just because a door is unlocked - physically or virtually - that doesn't entitle anyone to go through it.

Accessing a computer without authorisation is a crime under section 252 of the Crimes Act 1961. It says: (1)...

I've been going back and forth on this since the release. My current position (of many shifting ones) is that it's subsection (2) that is important in determining whether the offence was committed, but it is difficult to see how far that would go.

Subsection 2 says:

To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.

The question then is: does Cameron Slater have authority to access the server that hosts the Labour Party website? Well, it's a publicly available website, that they put up there so that people can go to their website and download stuff from that server into their cache to read on their browsers. If Cameron doesn't have authority (because, for example, it's not express authority), I don't see how any of us can lawfully look at it.

If Cameron, and you and I have authorisation to access the server that hosts labour.org.nz for the purpose of viewing the Labour Party's website, then is there any basis on which section 252(2) doesn't come into play if once we access the server, we do things that it was not intended we should do?

Obviously, if once there, those unauthorised things we are doing on that computer system (which we are authorised to access for other purposes), we do things for other reasons, eg to cause damage to the site, or to do something dishonest etc. other computer crimes may arise (such as section 249, or section 250). These offences can be committed on computer systems you have been authorised to access, because they don't include something equivalent to section 252(2), but there has been no suggestion to date that Cameron Slater or Jason Ede (or anyone else) accessed the Labour server in a way which might give rise to an offence under s 249 or s 250.

There may still be privacy issues, but I'm tending to the view that what has been alleged is not a breach of section 252, because of subsection 2. I think we all have authorisation to access the computer system which operates as the server hosting the Labour Party website.

I'd include those factors within the phrase "the competing rights of those who wrote them". You're right that the societal importance of having confidences respected has been specifically acknowledged by the courts (that point comes through strongly in English cases like Prince of Wales v Associated Newspapers too) but the results in the cases invariably turn on the perceived importance of the facts which have been disclosed.

Graeme, I don't think you are right about s 252(2). You have to go back to s 248(b). A computer system is defined to include any part of a computer system. That means you can commit the offence in s 252(1) in relation to part of a computer system. The question in s 252(2) becomes whether you were authorised to access that part. I believe that this is the only interpretation that makes any sense. Under the interpretation you set out, for example, anyone with a Google account could hack into anyone else's Google account with impunity, as long as they were both on the same server.

Reading advertising in a shop window and someone’s PIN number over their shoulder are not the same thing, and reading blog posts is not the same as downloading archived backups.

Would you feel confident in your lack of legal culpability doing the latter? I think *most* of us would know they were doing the wrong thing.

Analogy I know, but there are various ways of "accessing" computers - and whether they are legitimate or not may not be a question of technical implementation as much as knowingly doing wrong. (It's legal for me to pick my own locks, but not yours.)

That would also imply (provided I didn't actually steal any money) that I could hack my way into http://anz.co.nz/personal/ without fear of prosecution, because I've got implied authorisation to access the front page and so on.

(As Felix said, as well)

I'd agree, it's a tricky area - one view would say that ignoring robots.txt (the file that controls where web crawlers should go) is illegal access. Another would say that the computer has been configured by the owner with a set of rules as to who can gain access - hence if the computer doesn't stop you, it isn't illegal.

I was part of the InternetNZ working group on their submission to the SOP which inserted the authorisation clauses you mention here.

We were very concerned about section 2's vague meaning, and seemed to be completely contrary to any ability to enforce the crime being described. As you've noted, it would seem to allow absolutely any other purpose no matter how much of a violation that is merely because some part of a system a person was authorised to use.

The Select Committee chose not to remove it (and I can't even find an acknowledgement of the point in their report), and that's where we are now.

The fact that Ede and Slater exchanged messages expressing concern at being caught is fairly strong evidence that they knew that they had accessed the data without authorisation. I hope they are prosecuted for it.

A better analogy would be a half-open door without any signage. Many websites have hidden actions that aren't visible until some blank area is clicked, and it would be very hard to prove a naive clicker knew they were wandering into forbidden territory.

But Ede was clearly worried people would figure out what he was doing. There’s no naive clickers here, there’s paid professionals snooping and talking about evading security measures. The question of proof in the case of the naive clicker simply isn’t that relevant here.

Not better at all. The content could not be found by clicking. The content could be found by deliberately looking for it by trying various requests (aka: "what happens if we go to labour.org.nz/backups?"), but there's no way that content was overtly linked from on their website, and no way they intended for it to be accessed by the public in that fashion.